DevSecOps Summit: Effective Static Analysis is the Key to Successful DevSecOps
DevSecOps creates more effective security by moving the traditional security gate to the start of the pipeline instead of the end, where it is too late to fix security issues effectively. Static code analysis is the best way to move security as far left as possible: it combines early-detection checkers for common issues such as tainted data with secure-by-design coding patterns that harden the code against today's common attacks. However, static analysis has a reputation for being noisy and causing extra work. We will explore tips and tricks to make sure your static analysis delivers security while avoiding the common pitfalls that plague security efforts. Understanding the role of policy and choosing the right coding standards from those available is an important start; using standards-based risk assessment to prioritize findings by the impact, severity, and likelihood of each vulnerability ensures that your code is secure and that your team appreciates the tools rather than hates them.
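As an added illustration of what an "early detection checker for tainted data" actually does (example code written for this page, not from the talk or any Parasoft product): a toy flow tracker over Python source that follows attacker-controlled values through assignments into a dangerous call, and recognises a sanitizer that breaks the flow. The source, sink and sanitizer lists and the three sample programs are assumptions constructed for the demo.

```python
"""Toy tainted-data checker over Python source, using the ast module.

Illustrative example only; the source/sink/sanitizer lists are assumptions
chosen for the demo, not a real tool's rule set."""
import ast

# Attacker-controlled inputs, dangerous calls, and calls that neutralise input.
SOURCES = {"input", "sys.argv", "request.args.get"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}
SANITIZERS = {"shlex.quote", "int"}


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """True if expr reads a source or a tainted variable anywhere inside it,
    unless a sanitizer call wraps that part of the expression."""
    if isinstance(expr, ast.Call) and dotted_name(expr.func) in SANITIZERS:
        return False
    name = dotted_name(expr)
    if name is not None and (name in SOURCES or name in tainted):
        return True
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))


def find_taint_flows(source_code):
    """Return [(line, sink)] for each sink call fed by tainted data.

    Deliberately simple: straight-line assignments inside each top-level
    function, with no branch, loop or inter-procedural tracking."""
    tree = ast.parse(source_code)
    findings = []
    for func in tree.body:
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                targets = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                if is_tainted(stmt.value, tainted):
                    tainted |= targets
                else:
                    tainted -= targets  # overwritten with clean data
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and dotted_name(call.func) in SINKS:
                    if any(is_tainted(arg, tainted) for arg in call.args):
                        findings.append((call.lineno, dotted_name(call.func)))
    return findings


# Constructed samples: a command injection, its hardened form, and an SQL injection.
VULNERABLE = """
import os
def run(request):
    cmd = request.args.get("cmd")
    full = "ls " + cmd
    os.system(full)
"""

HARDENED = """
import os, shlex
def run(request):
    cmd = request.args.get("cmd")
    full = "ls " + shlex.quote(cmd)
    os.system(full)
"""

SQLI = """
import sys
def lookup(cursor):
    user = sys.argv[1]
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
"""

if __name__ == "__main__":
    for label, code in [("vulnerable", VULNERABLE), ("hardened", HARDENED), ("sqli", SQLI)]:
        print(label, find_taint_flows(code))
```

The hardened sample is reported clean only because `shlex.quote` is on the sanitizer list; a real checker's noise level depends almost entirely on how well that list and the source/sink lists match the code base, which is the policy and standards choice the talk refers to.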
Arthur Hicken is an Evangelist for Parasoft and has been involved in automating various practices at Parasoft for over 20 years. He has worked on various projects involving the software development lifecycle, software security, complex web applications, and integration with legacy systems. Arthur Hicken has over 27 years' experience in software development and application security. Also known as the "Code Curmudgeon", Arthur is an industry advocate for secure coding based on static analysis and participates in industry standards work with UL 2900, NIST, CWE, and CERT. He also maintains the popular internet lists "SQL Injection Hall-of-Shame" and "IoT Hall-of-Shame".